CN101060411B - A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system - Google Patents
- Publication number: CN101060411B (application CN2007100179204A)
- Authority: CN (China)
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The present invention relates to the technical field of network intrusion detection systems (NIDS), and specifically to a multi-pattern matching method for improving the detection rate and efficiency of network intrusion detection. Its aim is to overcome the low matching efficiency of the existing technology when the intrusion detection rule set is large. The multi-pattern matching method for the NIDS field comprises: (1) preprocessing the pattern set: building a SHIFT table, a SUFFIX table and a PREFIX table; (2) scanning and searching.
Description
Technical field:
The present invention relates to the technical field of network intrusion detection systems (NIDS), and specifically to a multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system.
Background art:
In recent years, with the successive arrival of high-speed network technologies, rising link speeds have challenged all three stages of intrusion detection: data capture, the analysis engine and the response mechanism. If any one stage cannot keep pace with the network, the network cannot be protected in real time. Most existing NIDS reach detection speeds of only tens of Mbit/s, and as 100 Mbit/s and Gigabit networks become widespread, the processing speed of the NIDS has become the bottleneck limiting its deployment. A NIDS intercepts every packet on the network, analyses it and matches it against the signatures of known attacks, which takes considerable time and system resources. As bandwidth grows, the detection system must handle more packets per unit of time and must process each packet much faster; otherwise large numbers of packets are dropped, severely degrading the detection capability of the NIDS. Because of how a NIDS operates, it must monitor every packet flowing through the shared network segment and perform pattern matching on each of them. If the detection speed of the NIDS falls behind the transmission speed of the network, the system misses some of the packets, producing false negatives and harming its accuracy and effectiveness. Pattern matching is the signature-based packet inspection technique used by NIDS; its fast analysis and low false-positive rate are unmatched by other analysis methods, and many commercial intrusion detection products and research projects, for example Dragon, Bro and Snort, use pattern matching algorithms. However, as the variety of attacks keeps increasing, the signature database used for pattern matching keeps growing, so that with the same hardware resources and the same matching algorithm the packet processing speed of the system declines. For high-speed networks, improving the detection rate and efficiency of the intrusion detection system is therefore the main problem that current intrusion detection systems urgently need to solve.
The prior art proposes the BM (Boyer-Moore) algorithm. It is based on the observation that, in a matching comparison, the leading characters often match while the last few do not, so scanning from left to right wastes time; instead the pattern is compared against the text from right to left, and as soon as a text character that does not occur in the pattern is found, the pattern can be slid a long distance over the text. However, because this algorithm is applied repeatedly to a single pattern, it can only improve the efficiency of matching a single rule and cannot improve the efficiency of matching the whole rule set: as the number of rules grows linearly, matching efficiency declines linearly. The problem with the prior art is therefore that when the intrusion detection rule set is very large, its matching efficiency is very low.
Summary of the invention:
The present invention provides a multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system, in order to overcome the technical problem in the prior art that matching efficiency is very low when the intrusion detection rule set is very large.
The technical scheme of the present invention is a multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system, comprising the following steps:
(1) Preprocessing the pattern set:
Building the shift table (SHIFT table): the shift table is built by considering the comparison of blocks of B characters rather than single characters. The value of B should be B = log_C(2M), where M is the total size of all patterns, M = k·m (m is the minimum pattern length in the pattern set and k is the number of patterns), and C is the size of the alphabet. The shift table contains one entry for each possible block of B characters, so its size is |Σ|^B, where Σ is the fixed character set.
Building the suffix table (SUFFIX table): when the shift value is 0, the B-character suffix of the current text block matches the suffix of some pattern in the pattern set. To minimise the number of patterns that have to be compared, hashing is used: the integer hash of the B characters computed when building the shift table is used as the index of another table, called the suffix table SUFFIX. The i-th entry SUFFIX[i] contains an index pointing to the list of patterns whose last B characters hash to i; this list is denoted PATTERN_LIST.
(2) Scanning and searching.
In step (1) above, for the case where the shift value is 0, another table is also introduced, called the prefix table PREFIX; PREFIX holds, for each pattern, the hash of its A-character prefix.
The specific steps of the scanning search of step (2) are:
1. compute the hash h of the B text characters currently being scanned;
2. check the value of SHIFT[h]: if it is > 0, shift the text by that amount and go to step 1; otherwise go to step 3;
3. compute the hash of the text prefix, taken m characters to the left of the current position (the start of the current window), and call it text_prefix;
4. check every index p satisfying SUFFIX[h] ≤ p < SUFFIX[h+1]; if such an index exists, go to step 5, otherwise end;
5. if PREFIX[p] = text_prefix, go directly to step 6 and match the text against the current pattern (the current pattern is given by PATTERN_LIST[p]), which finishes the whole process; otherwise end.
In step (1) above, the value of B is 2 and the value of A is 2. The values of A and B are chosen as required.
Compared with the prior art, the advantages of the present invention are:
1. Few comparisons: because hashing maps several character strings to the same entry of the shift table, the size of the shift table is compressed. To avoid comparing against every pattern, hashing is also used when building the suffix table (SUFFIX table) to minimise the number of patterns that must be compared. When the shift value is 0, the text has to be compared against the pattern list pointed to by SUFFIX[i] for suffix matching, and to narrow the pattern search further and speed it up, another table, the prefix table PREFIX, is introduced.
2. Short running time, high efficiency: the BM algorithm compares single characters, whereas the present invention compares blocks of characters, which greatly shortens the running time and therefore greatly improves matching efficiency. The time taken by the whole scanning process is O(BN/m) (N is the size of the text, m is the minimum pattern length, k is the number of patterns and M = k·m is the total length of the patterns); when m > B, the average time complexity of the scan is sublinear. The total time complexity of the algorithm, including preprocessing, is O(M) + O(BN/m) = O(M + BN/m).
Description of the drawings:
The accompanying drawing is a flow chart of the multi-pattern matching algorithm of the present invention, which is based on the idea of the BM algorithm.
Embodiment:
The present invention is described below through an embodiment in an intrusion detection system and the accompanying drawing.
The steps of the present invention are:
(1) Preprocessing the pattern set: building the shift table (SHIFT table), the suffix table (SUFFIX table) and the prefix table (PREFIX table).
When building the shift table, blocks of B characters are compared rather than single characters; during the scan of the text, the shift table decides how many characters of the text can be skipped without inspection.
B is set to 2 and A is set to 2;
the hash of the A-character prefix of every pattern is computed and stored in PREFIX[i];
(2) Scanning search:
2.1 compute the hash h of the B text characters currently being scanned;
2.2 check the value of SHIFT[h]: if it is > 0, shift the text and go to step 2.1; otherwise go to step 2.3;
2.3 compute the hash of the text prefix, called text_prefix;
2.4 check every index p satisfying SUFFIX[h] ≤ p < SUFFIX[h+1]; if such an index exists, go to step 2.5, otherwise end;
2.5 if PREFIX[p] = text_prefix, go directly to step 2.6 and match the text against the current pattern, which finishes the whole process; otherwise end.
The values of B and A can be chosen according to the actual conditions, but we consider B = 2 and A = 2 to be optimal.
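The preprocessing step (1) and the scanning steps 2.1 to 2.5 above (stated once in the summary and again in the embodiment) follow the structure of the Wu-Manber multi-pattern algorithm: a SHIFT table over B-character blocks, a SUFFIX table grouping patterns by the hash of their last B characters, and a PREFIX filter over the first A characters. The following Python implementation is an added example, not code from the patent. It builds the three tables with B = 2 and A = 2, then scans a constructed sample payload. The table size, the block hash (shift-and-add modulo 2^16) and the class name `MultiPatternMatcher` are assumptions, since the patent does not fix a hash function. One deliberate difference: the patent's step 2.6 ends the procedure after the first verified pattern, whereas an IDS needs every rule hit, so this example advances the window by one character after a zero shift and returns all (offset, pattern index) pairs.

```python
"""SHIFT / SUFFIX / PREFIX multi-pattern matcher (Wu-Manber style).

Added example, not the patent's own code. Table names follow the patent:
SHIFT (skip distance per B-character block hash), SUFFIX (index ranges into
PATTERN_LIST grouped by the hash of each pattern's last B characters) and
PREFIX (hash of the first A characters of each listed pattern). The hash
function and TABLE_SIZE are assumptions; B = A = 2 as the patent recommends.
"""
from collections import defaultdict

TABLE_SIZE = 1 << 16  # assumption: SHIFT and SUFFIX are indexed by hash mod 2^16


def block_hash(block: bytes) -> int:
    """Integer hash of a short byte block (assumed shift-and-add, mod TABLE_SIZE)."""
    h = 0
    for c in block:
        h = (h << 5) + c
    return h % TABLE_SIZE


class MultiPatternMatcher:
    def __init__(self, patterns, B=2, A=2):
        if not patterns:
            raise ValueError("need at least one pattern")
        self.B, self.A = B, A
        self.patterns = [bytes(p) for p in patterns]
        self.m = min(len(p) for p in self.patterns)  # minimum pattern length m
        if self.m < max(B, A):
            raise ValueError("every pattern must be at least max(B, A) bytes long")
        self._build_tables()

    def _build_tables(self):
        m, B, A = self.m, self.B, self.A
        # SHIFT: a block that occurs in no pattern lets the window skip m-B+1
        # characters; a block ending at offset q of some pattern's first m
        # characters lowers the entry to m-q (0 when it is the pattern's suffix).
        self.SHIFT = [m - B + 1] * TABLE_SIZE
        groups = defaultdict(list)  # suffix hash -> indices of patterns
        for idx, pat in enumerate(self.patterns):
            head = pat[:m]  # only the first m characters feed the tables
            for q in range(B, m + 1):
                h = block_hash(head[q - B:q])
                self.SHIFT[h] = min(self.SHIFT[h], m - q)
            groups[block_hash(head[m - B:m])].append(idx)
        # SUFFIX[h] .. SUFFIX[h+1] delimit, inside PATTERN_LIST, the patterns
        # whose last B characters (of the first m) hash to h.
        self.PATTERN_LIST = []
        self.SUFFIX = [0] * (TABLE_SIZE + 1)
        for h in range(TABLE_SIZE):
            self.SUFFIX[h] = len(self.PATTERN_LIST)
            self.PATTERN_LIST.extend(groups.get(h, ()))
        self.SUFFIX[TABLE_SIZE] = len(self.PATTERN_LIST)
        # PREFIX[p]: hash of the first A characters of PATTERN_LIST[p].
        self.PREFIX = [block_hash(self.patterns[i][:A]) for i in self.PATTERN_LIST]

    def search(self, text: bytes):
        """Return every (offset, pattern_index) occurrence in text, in scan order."""
        m, B, A = self.m, self.B, self.A
        hits = []
        pos = m  # window is text[pos-m:pos]; its last B characters are hashed
        while pos <= len(text):
            h = block_hash(text[pos - B:pos])                 # step 2.1
            shift = self.SHIFT[h]
            if shift > 0:                                     # step 2.2: skip
                pos += shift
                continue
            start = pos - m
            text_prefix = block_hash(text[start:start + A])   # step 2.3
            for p in range(self.SUFFIX[h], self.SUFFIX[h + 1]):   # step 2.4
                if self.PREFIX[p] != text_prefix:                 # step 2.5
                    continue
                idx = self.PATTERN_LIST[p]
                if text.startswith(self.patterns[idx], start):    # step 2.6: verify
                    hits.append((start, idx))
            pos += 1  # zero shift: advance one character and rehash
        return hits


if __name__ == "__main__":
    # Constructed sample: three signature fragments and one HTTP request line.
    rules = [b"/etc/passwd", b"cmd.exe", b"../.."]
    payload = b"GET /cgi-bin/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    matcher = MultiPatternMatcher(rules)
    for offset, idx in matcher.search(payload):
        print(f"offset {offset}: rule {idx} {rules[idx]!r}")
```

Only the first m = 5 bytes of each pattern populate the tables (`cmd.exe` is indexed as `cmd.e`), which is why step 2.6 must compare the full pattern before reporting a hit; the hash tables only narrow the candidates. Patterns shorter than B or A are rejected up front because the tables cannot represent them.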
Finally, it should be noted that the above embodiment is intended only to illustrate, not to limit, the technical scheme of the present invention. Although the present invention has been described in detail with reference to the above embodiment, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to it, and any modification or local substitution that does not depart from the spirit and scope of the present invention falls within the scope of its claims.
Claims (2)
1. A multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system, comprising the following steps:
(1) preprocessing the pattern set:
building the shift table (SHIFT table): when building the shift table, blocks of B characters are compared; the value of B should be B = log_C(2M), where M is the total size of all patterns, M = k·m, m is the minimum pattern length in the pattern set, k is the number of patterns, and C is the size of the alphabet; the shift table contains one entry for each possible block of B characters, so its size is |Σ|^B, where Σ is the fixed character set;
building the suffix table (SUFFIX table): when the shift value of the target string is 0, the B-character suffix of the current text block matches the suffix of some pattern in the pattern set; to minimise the number of patterns that have to be compared, hashing is used: the integer hash of the B characters computed when building the shift table is used as the index of another table, called the suffix table SUFFIX; the i-th entry SUFFIX[i] contains an index pointing to the list of patterns whose last B characters hash to i, this list being denoted PATTERN_LIST;
(2) scanning search;
the specific steps of said step (2) scanning search being:
1. compute the hash h of the B text characters currently being scanned;
2. check the value of SHIFT[h]: if it is > 0, shift the text and go to step 1; otherwise go to step 3;
3. compute the hash of the text prefix, taken m characters to the left of the current position, and call it text_prefix;
4. check whether any index p satisfies SUFFIX[h] ≤ p < SUFFIX[h+1]; if so, go to step 5, otherwise end;
5. if PREFIX[p] = text_prefix, go directly to the next step and match the text against the current pattern, the current pattern being given by PATTERN_LIST[p], which finishes the whole process; if PREFIX[p] = text_prefix is not satisfied, end;
in said step (1), for the case where the shift value of the target string is 0, another table is also introduced, called the prefix table PREFIX; PREFIX[i] contains the hash of the A-character prefix of each pattern.
2. The multi-pattern matching method that improves the detection rate and efficiency of an intrusion detection system according to claim 1, characterised in that in said step (1) the value of B is 2 and the value of A is 2.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007100179204A CN101060411B (en) | 2007-05-23 | 2007-05-23 | A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101060411A (en) | 2007-10-24 |
CN101060411B (en) | 2013-04-03 |
Family
ID=38866320
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007100179204A Expired - Fee Related CN101060411B (en) | 2007-05-23 | 2007-05-23 | A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101060411B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101409623B (en) * | 2008-11-26 | 2010-09-01 | 湖南大学 | Mode matching method facing to high speed network |
CN104954346B (en) * | 2014-03-31 | 2018-12-18 | 北京奇安信科技有限公司 | Attack recognition method and device based on object analysis |
CN104202249A (en) * | 2014-07-25 | 2014-12-10 | 汉柏科技有限公司 | Method and device of message forwarding |
CN105701093A (en) * | 2014-11-24 | 2016-06-22 | 中兴通讯股份有限公司 | Automaton -based pattern matching method and device |
CN108809908B (en) * | 2017-05-04 | 2020-05-26 | 中国科学院声学研究所 | URL filtering method and system based on window selection |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1384639A (en) * | 2002-06-11 | 2002-12-11 | 华中科技大学 | Distributed dynamic network security protecting system |
CN1561032A (en) * | 2004-02-24 | 2005-01-05 | 中国科学院计算技术研究所 | Multiline program loading equialization method of invading detection |
CN1581768A (en) * | 2003-08-04 | 2005-02-16 | 联想(北京)有限公司 | Invasion detecting method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130403 |